<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://best.openssf.org/assets/css/style.css">
<link rel="stylesheet" href="checker.css">
<script src="checker.js"></script>
<script src="format-strings.js"></script>
<link rel="license" href="https://creativecommons.org/licenses/by/4.0/">

</head>
<body>
<!-- For GitHub Pages formatting: -->
<div class="container-lg px-3 my-5 markdown-body">
<h1>Lab Exercise Format Strings and Templates</h1>
<p>
This is a lab exercise on developing secure software.
For more information, see the <a href="introduction.html" target="_blank">introduction to
the labs</a>.

<p>
<h2>Task</h2>
<p>
<b>Practice eliminating string formatting vulnerabilities in Python.</b>

<p>
<h2>Background</h2>
<p>
In this exercise, we'll adjust our string formatting so that it doesn't allow a user to control
the <a href="https://docs.python.org/3/tutorial/inputoutput.html#the-string-format-method"><tt>
format string</tt></a>.

<p>If a user can control the <tt>format string</tt> in Python they can access
values which they shouldn't. In particular, if those variables' values can be returned to the user
as output, it could lead to information disclosure beyond what the developer intended.

<p>
<h2>Task Information</h2>
<p>
Please change the code below so the string formatting cannot disclose arbitrary
program values.

<p>
The server-side program is written in Python and allows a user to specify a <tt>format string</tt> to control the output format of an event, shown here as <tt>user_format</tt>. The developer probably expected the user to provide a format string like <tt>'{event.level}'</tt> to control what is shown and where.

<p>
However, in many programming languages, allowing an untrusted user to control a format string is a vulnerability. Format strings are miniature programming languages; running code provided by an untrusted user is dangerous. In the case of Python, an attacker might be able to provide a sneaky format string value like <tt>'{event.__init__.__globals__[CONFIG][SECRET_KEY]}'</tt> and reveal a secret value like a password or secret key.

<p>
In this case, as in many, there is no need for an untrusted user to control the format string at all. Where we can, we should use a constant format that cannot be controlled by a potential attacker. For purposes of this lab, instead of letting the user control the formatting string, set the format to the fixed value <tt>'{event.level},{event.message}'</tt> and don't forget to remove the no-longer-needed format parameter.
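<p>
As an added example (not the lab's own code), here is the lab's starting function beside the fixed version, with a constructed <tt>Event</tt> class and a module-level <tt>CONFIG</tt> dict holding a placeholder secret, so the difference between a user-controlled and a constant format string can be checked directly.

```python
# Added example: the lab's 'before' function next to the fixed version.
# Event and CONFIG are constructed for this example; the secret is a placeholder.

# Constructed module-level configuration, the kind of value a format string
# walking __globals__ can reach when the caller controls the format.
CONFIG = {"SECRET_KEY": "placeholder-secret-value"}


class Event:
    def __init__(self, level, message):
        # A plain __init__ so __init__.__globals__ is this module's namespace.
        self.level = level
        self.message = message


def format_event_vulnerable(user_format, new_event):
    # The lab's starting point: the caller supplies the whole format string.
    # str.format resolves attribute and subscript chains on its arguments,
    # so a format string can walk from the event object into module globals.
    return user_format.format(event=new_event)


def format_event(new_event):
    # Fixed version: the format string is a constant chosen by the developer,
    # so only the fields named here can ever appear in the output and there
    # is no format parameter left for a user to control.
    return "{event.level},{event.message}".format(event=new_event)


if __name__ == "__main__":
    ev = Event("INFO", "user logged in")
    print(format_event(ev))  # INFO,user logged in
    # The hardened function has no way to accept a user-chosen format at all.
    try:
        format_event("{event.level}", ev)
    except TypeError as exc:
        print("rejected extra format argument:", exc)
```

Running the block prints only the level and message; the vulnerable function is kept solely so the two can be compared on the same input.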

<p>
Use the “hint” and “give up” buttons if necessary.

<p>
<h2>Interactive Lab (<span id="grade"></span>)</h2>
<p>
<form id="lab">
<pre><code><textarea id="attempt0" rows="3" cols="60" spellcheck="false"
>def format_event(user_format, new_event):
   return user_format.format(event=new_event)</textarea
></code></pre>
<button type="button" class="hintButton">Hint</button>
<button type="button" class="resetButton">Reset</button>
<button type="button" class="giveUpButton">Give up</button>
<br><br>
<p>
<i>This lab was developed by Jason Shepherd at
<a href="https://access.redhat.com"
>Red Hat</a>, with a modified version of the example code from Armin Ronacher's
<a href="https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/">Be Careful with Python's New-Style String Format</a> article, and
modified by David A. Wheeler.</i>
<br><br>
<p id="correctStamp" class="small">
<textarea id="debugData" class="displayNone" rows="20" cols="65" readonly>
</textarea>
</form>
</div><!-- End GitHub pages formatting -->
</body>
</html>
